Skip to main content

Twitter API vulnerable to replay attacks

Reading about Google's security today reminded me of an vulnerability I discovered in the @ a while ago. October 4th to be exact. The response was a typical but as of this writing the replay attack vulnerability has not been fixed.

Replay attack
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution.
Notification

My email to security@twitter.com on October 4th and their response.
A single OAuth request can currently be made repeated until the timestamp expires. For example the below url worked in a browser repeatedly.

http://api.twitter.com/1/account/verify_credentials.json?oauth_consumer_key=DC0sePOBbQ8bYdC8r4Smg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1286249576&oauth_nonce=2568844471&oauth_version=1.0&oauth_token=9436992-nlnplVVuWbpQ6pG2992RCK01cOaTpiUIZXnwZuD3W0&oauth_signature=iNjBZzaH46J0K/4dRG74GG9skoM%3D

Abraham

----------

Hi Abraham,

Thanks for the note. We'll check it out.

-Bob
Example

Here is a snap shot of a POST request to create a list named "replayattack" at 00:16:18 GMT. Shortly after I made a request with the same @ parameters at 00:17:57 GMT that succeeded in creating a second list with the slug of replayattack-20. Both request use the same oauth_timestamp, oauth_nonce and oauth_signature values.

Severity

How serious is this vulnerability? Well luckily the vector seems to be pretty small but I'm not a security expert so there could be hidden vectors I have not considered.
  • The initial request must to be intercepted by an attacker so the use of SSL and certificate verification should protect against the attack.
  • Replay requests are limited to five minutes after the initial request before the timestamp gets rejected.
  • Requests can not be modified or the request will be rejected for having an invalid signature.
  • Duplicate statuses and messages can not be posted because Twitter rejects duplicates of recent statuses.
  • Requests to private resources like messages or protected timelines have not only the response of the initial request but any statuses or messages created in the following five minutes as well.
Prevention

What can Twitter do to prevent this? Twitter can store nonces for five minutes and if a single nonce hits the API more then once reject the subsequent requests. The OAuth specification has this to say about nonces:
A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.
It is possible that Twitter decided to write off this vulnerability instead of trying to scale nonce checking for over 6 billion API requests every day.
Labels:

Comments

Post a Comment

Popular posts from this blog

Installing Storytlr the lifestreaming platform

" Storytlr  is an open source lifestreaming and micro blogging platform. You can use it for a single user or it can act as a host for many people all from the same installation." I've been looking for something like Storytlr for a few months now or at least trying to do it with Drupal . While I love Drupal and FeedAPI  I did not want to spend all that time building a lifestream website. So I've been playing around with Storytlr instead and found it very easy. Here is how I got it up and running on a Ubuntu EC2 server. You can also check out the official Storytlr install instructions . Assumptions: LAMP stack installed and running. Domain setup for a directory. MySQL database and user ready to go. Lets get started! Get the code : wget http://storytlr.googlecode.com/files/storytlr-0.9.2.tgz tar -xvzf storytlr-0.9.2.tgz You can find out the  latest stable release  on Storytlr's downloads page. Import the database : Within protected/install is database.sq...
6 comments
Read more

Google+ could bring world peace

Google is the largest web application on the planet with over one billion unique visiters each month. This means that one in seven people on the entire planet used Google over the last 30 days. Having such a massive user base means that someone from pretty much every single geographical, political, and religious group is a user of Google. Once Google+  hits a billion our pals from Mountain View will be in the unique position of potentially bringing about world peace. And I don't mean bringing FarmVille to Google+. How so, you might ask? Well Google is collecting so much personal information that they can create incredibly accurate profiles of personal beliefs and comfort zones. With these personas, the 900,000 machines , a few algorithms, and some time Google can connect people one follow at a time that are of similar interests but ever so slightly contrarian. Eventually even the most conservative views will become more open and accepting...
1 comment
Read more

Sync is currently experiencing problems

Update : I now recommend you install Google Chrome  and  disable  the built in Browser as it supports encrypting all synced data. After picking up a gorgeous  Galaxy Nexus yesterday I was running into an issue where my browser data wasn't syncing to the phone. After a little Googling I found this is commonly caused by having all of my synced Chrome data encrypted instead of the default of only encrypting the passwords. These are the steps I went through to get my dat syncing again without losing any of it. The exact error I was getting was "Sync is currently experiencing problems. It will be back shortly." In Google Chrome open the personal stuff settings page by clicking this link or by opening the wrench menu, and click on "signed in with example@gmail.com".  Hit "disconnect your Google Account" to temporarily disable syncing from your browser. Visit the Google Dashboard and "Stop sync and delete data from Google". I waite...
31 comments
Read more